I’ve just been quoted nearly £15,000 to protect 35 desktops, 6 laptops and 4 servers with whitelisting software. This includes a £6,000 fee for the whitelisting management server license which is a one off, and subsequent annual costs which comprise maintenance fees only and which come to £2,700.

I would like to implement application whitelisting at the charity I work for, but these prices are outside my budget. Does anyone out there use application whitelisting? If so, are you aware of any cheaper products?

TBH though, removing local admin rights for all users usually solves 95% of problems IME, assuming you can get management to agree to it. There’s often opposition to taking away something if users have always had it.

Thanks for the reply. Yes, all our staff have admin rights, but what I wish to protect against is zero-day threats, particularly ransomware which operates within a user’s access to data. I’ve not used AppLocker before, but it looks as though it will do what I need.

What AV do you use? Some of them have app-blocking capability; I know Sophos does.

Thanks.

Yes – we use Sophos, but it only works on known executables. Its whitelisting only works one way. They do have a server version, but nothing for clients as far as I am aware, although one of the guys I buy our bulk software purchases from is looking into this.

That’s pretty poor, you can only block applications you already know about.

Out of ideas then I’m afraid, the products I’ve used (Lumension Sanctuary, AppSense) aren’t likely to be in the price range for a charity unless they do some very favourable licensing. The only other option I know of is GPOs and MD5 hashing, but AFAIK it’s the same as the Sophos option, you can only block apps if you know their MD5 hash rather than only allowing apps you choose. It was meant for blocking things like AIM or MSN Messenger back in the Server 2003 days. Upgrading all your clients to Enterprise might be the cheapest option, from what I remember Microsoft’s charity licensing prices are quite favourable. That’s assuming you aren’t already licensed for it, one charity in my experience had Enterprise licences in VLSC but for reasons best known to themselves were running Pro on all clients!

Thanks. To be fair to Sophos, the component is called Application Control, and not whitelisting.

However, you may have helped me with the suggestion to upgrade to Enterprise. I’m on leave until next week so will have a proper look at that option when I return. It may be the cheapest way to deal with this.